NIST shares tool for vetting mobile apps
Open source project lets developers plug in their own tools for risk assessment.
The National Institute of Standards and Technology has launched a web-based application for developers to assess their self-created mobile apps for risk and hosting requirement conformity. The app, called AppVet, is free to use and is designed to be accessed through a browser.
While NIST does not host or run AppVet for public use -- "NIST does not accredit or approve apps," the project's FAQ flatly states -- the tool can be downloaded and run by any interested organization.
“AppVet is a simple web-based application for vetting mobile apps,” according to NIST. “It facilitates the app vetting workflow by providing an intuitive user interface for submitting and testing apps, accessing reports, and assessing risk.”
The process begins when someone submits an app, which is analyzed by extracting its metadata. Once analyzed, additional functionality can be provided according to the requirements of the hosting organization. The app and its information are then sent to other tools for assessment and an overall report is generated.
It was designed for developers, analysts and app stores and can be easily integrated with third-party tools, such as static and dynamic analyzers, anti-virus scanners and vulnerability repositories. And the risk assessment that it generates is ultimately determined by those third-party components. Users are strongly urged to use a standardized approach such as the Common Vulnerability Scoring System to make risk assessments.